
Newly found code signing flaw allows for iOS malware - Page 2

post #41 of 45
God AI, censor much? What you posted is missing so much that you changed the story. Read the original article here, http://www.reuters.com/article/2011/...7A71ZS20111108

"He told Reuters on Monday that several hundred Apple customers had downloaded the free app and that it had connected to his server, but said he had not installed any other software on their devices.

Still, the incident may have proved embarrassing for Apple because its App Store failed to identify that InstaStock was actually a prototype malicious program. That meant there could currently be malware in the App Store that similarly made it past the security vetting process, Miller told Reuters on Monday."

"Apple has good reason to believe that you violated (the iOS developer agreement) by intentionally submitting an App that behaves in a manner different from its intended use," the email said.

"We will deny your reapplication to the iOS Developer Program for at least a year, considering the nature of your acts," the letter read.

Miller is a well-known researcher who in 2009 identified a bug in the iPhone text-messaging system that allowed attackers to gain remote control over the devices.

No matter what type of media...movies, music, books, photos and web pages

look better and sound better on the Kindle Fire HD than any iPad

post #42 of 45
"We will deny your reapplication to the iOS Developer Program for at least a year, considering the nature of your acts," the letter read.

Apple's revoking action is one of the ways in which such attackers can be forestalled by making them reapply and reapply again for re-entry to the program, each time paying an entry fee and/or having to assume another bogus identity until it no longer becomes worth their while.

By the way, is anybody seeing evidence that Charlie or some of his cohorts have started unleashing attacks on iPhone users leveraging the vulnerability, or is it just my imagination, or my iOS5 iPhones playing up?
post #43 of 45
Quote:
Originally Posted by airmanchairman

By the way, is anybody seeing evidence that Charlie or some of his cohorts have started unleashing attacks on iPhone users leveraging the vulnerability, or is it just my imagination, or my iOS5 iPhones playing up?

As far as my knowledge of Charlie Miller and his work goes, he has never released anything he's found to anyone but Apple. He gives exploit talks but I don't think anything malicious has ever happened because of it. It wouldn't be very smart to do so because there's the potential for a lot of money to be made from selling your security services. And Charlie Miller knows what he's doing obviously.
post #44 of 45
Quote:
Originally Posted by solipsism

I disagree. Whether it's a proof of concept that he won't release to the public, or intended to harm or steal from users is irrelevant, Apple has to protect their base and ridding someone who wrote an app that breaks guidelines and allows developers backdoor access into a user's device should not be allowed.


I didn't look through all the sections, only 2 and 22 because they appeared to cover many of the offenses committed by Miller with this app so I don't know if there are others that would fit the bill, nor do I know if all the ones I listed fit the bill. Either way, I think it's clear Miller broke an excessive number of rules of the App Store which should not be tolerated.

PS: As Steve N. states, "Apple needs to work closer with Miller." But that doesn't mean Miller should be allowed to violate Apple's Store policies.

I agree with following whatever the standard guidelines would be, however, Apple should have acknowledged him with at least a 'we thank you for your concern and we are committed to providing the most secure environment possible. Apple will immediately look into this potential issue. However, due to terms of service blah, blah blah kick you out.'
I for one think that Apple users should be glad that a good guy pointed this out and that it isn't the other way around with an infestation of rogue apps planted by black hat guys doing real damage.
post #45 of 45
Quote:
Originally Posted by solipsism

He did implement it, which is why his app was pulled and he banned from the developer program. Think about it; this isn't Charlie Miller's first rodeo exposing vulnerabilities with Apple's code yet it was only after he used that code to implement an app that he agreed was a legit app that didn't violate any of the terms of service and that Apple, as the retailer, backed did Apple take any action against Miller. Whether you think his overall intent was honorable everything he did in regards to the App Store policies and what users expect from App Store apps was unscrupulous.


I enjoyed that movie.


Let me get this straight. Because there are deceitful methods that can be employed Apple should bend over to placate all those that could potentially do evil movie villain harm? How much should Apple pay these guys that are keeping them hostage?

I don't know about 'holding them hostage' but I don't see this type of animosity regarding Chrome bugs since they pay well for people finding them. A very smart move by Google. Apple should do the same.
Waiting and hoping and wishing doesn't make for a good security program.